Win32/Kryptik.XS trojan and 10 other nasties


  • This topic is locked
30 replies to this topic

#1 p_mcc

p_mcc

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:44 AM

Posted 17 July 2009 - 01:17 PM

Hi all, below are all the clues my computer's given me:

Symptoms: Redirect of google links to places like toseeka; and some audio playing, seemingly when i leave the computer unattended for a few minutes (?) - linked to files that appear on task manager as b.exe
When firefox opens, computer loads 2 lots of iexplore.exe files for seemingly no reason

Also, google searches seem to consult google-analitycs rather than the correctly spelled google-analytics

Diagnosis: eset online scanner is finding lots of trojans in local settings (11 before i told it to stop), such as:
variant of Win32/Kryptik.XS trojan (<<<<<twice)
Win32/PSW.WOW.NLN trojan
multiple threats
Win32/Olmarik.JK trojan (<<<<<twice)
a variant of Win32/TrojanDropper.Small.NJP trojan
a variant of Win32/TrojanDownloader.VB.NWU trojan
Win32/Agent.PTU trojan
a variant of Win32/TrojanClicker.Punad.AA trojan

i told it to stop, and it claims to have removed these. i include these below. missing beginning of the directory on the screenshot is just your standard C:\

http://img146.imageshack.us/img146/7752/infectionlist3.jpg


Any help would be appreciated on where to go next.

Here's my DDS log:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Phillip at 19:08:37.81 on 17/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.361 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Phillip\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WhatPulse] c:\progra~1\whatpu~1\WHATPU~1.EXE
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Cognac] c:\docume~1\phillip\locals~1\temp\b.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [nlmo] c:\windows\jbfavjwx.exe
mRun: [# L"h'9Ӝ3rWc:\program files\istsvc\istsvc.exe] c:\windows\jbfavjwx.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [net] "c:\windows\system32\net.net"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\npjpi160_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/games/popcaploader_v6.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by108fd.bay108.hotmail.msn.com/activex/HMAtchmt.ocx
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\phillip\applic~1\mozilla\firefox\profiles\m8xty1l0.default\
FF - prefs.js: browser.search.selectedEngine - Merriam-Webster Dictionary
FF - prefs.js: browser.startup.homepage - hxxp://jcr.stcatz.ox.ac.uk/
FF - component: c:\documents and settings\phillip\application data\mozilla\firefox\profiles\m8xty1l0.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\program files\cambridgesoft\chemoffice2008\chem3d\npChem3DPlugin.dll
FF - plugin: c:\program files\cambridgesoft\chemoffice2008\chemdraw\NPCDP32.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-9 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-11-24 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-9 298776]
S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-19 1174152]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-07-17 18:03 <DIR> --d----- c:\program files\ESET
2009-07-17 15:58 67,072 a------- c:\windows\system32\drivers\stpqstvyfpfvbyxw.sys
2009-07-17 15:58 135,168 a------- c:\windows\msa.exe
2009-07-17 15:57 142,852 a------- c:\windows\system32\msxml71.dll
2009-07-17 15:57 110,592 a------- c:\windows\system32\net.net
2009-07-17 15:48 1,063,446 a------- c:\windows\system32\rn.tmp
2009-07-09 02:24 <DIR> --dsh--- c:\documents and settings\phillip\PrivacIE
2009-07-07 12:21 <DIR> --dsh--- c:\documents and settings\phillip\IETldCache
2009-07-07 01:58 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-07-07 01:58 <DIR> --d----- c:\windows\ie8updates
2009-07-07 01:57 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-07 01:57 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-07 01:55 <DIR> -cd-h--- c:\windows\ie8
2009-07-01 01:41 <DIR> --d----- c:\program files\Ventrilo
2009-07-01 01:41 262 a------- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-06-24 22:11 <DIR> --d----- c:\program files\Three Rings Design
2009-06-24 15:26 3,248 a------- c:\windows\system32\wbem\Outlook_01c9f4d7c4998a34.mof
2009-06-24 11:38 <DIR> --d----- c:\program files\Seagate
2009-06-24 11:35 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2009-07-05 14:16 58,088 a---h--- c:\windows\system32\mlfcache.dat
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 15:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 15:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 08:47 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 20:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-17 08:52 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 06:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 06:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 22:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 22:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 22:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 22:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 22:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 12:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-29 05:55 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2009-04-28 10:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-08-08 12:59 232 a------- c:\documents and settings\phillip\options.dat
2005-09-24 23:18 32 a----r-- c:\documents and settings\all users\hash.dat
2008-08-30 04:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 19:11:09.53 ===============

#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:08:44 PM

Posted 27 July 2009 - 01:57 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Shannon

#3 p_mcc

p_mcc
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:44 AM

Posted 27 July 2009 - 02:55 PM

Hi, thanks for the interim reply. I happen to be going on holiday Thursday morning (GMT), so I'll be checking the thread religiously to try and get this resolved ASAP.

Since I posted (and I discovered that I was not able to edit my post), I have run a few AVG and eset online scans - they claim to have removed a few trojans, but I still have symptoms. I also went in to run>msconfig and disabled b.exe from running on startup, since I'm fairly familiar with what runs on startup, and what doesn't. Disabling that seems to have stopped the background audio, and makes a difference.

However, the symptoms I have are:
-selective hijacking of google searches; 'bbc news' clickthroughs go through unhindered, whereas different search results get hijacked by different websites (toseeka, etc)
-two ghost iexplore.exe programs running in the background; they regenerate upon task manager forced termination, and occasionally i get popups for some casino website, that only loads a white-content window (that might be IE's popup protection kicking in though). also i get balloon prompts seemingly on the desktop alerting me to compatibility mode - obviously, the ghost IE windows are invisible and it's prompting from those. Also, inability to system restore (the next> button one after the date select won't do anything once clicked), and inability to use spybot - it runs the .exe according to task manager, but it's hidden on the desktop.

Here's my new DDS scan (sort utility told me it had a problem and needed to close, but was inconsequential; think this happened when I did the DDS for the OP)


DDS (Ver_09-06-26.01) - NTFSx86
Run by Phillip at 20:50:38.70 on 27/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.471 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Phillip\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WhatPulse] c:\progra~1\whatpu~1\WHATPU~1.EXE
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [nlmo] c:\windows\jbfavjwx.exe
mRun: [# L"h'9Ӝ3rWc:\program files\istsvc\istsvc.exe] c:\windows\jbfavjwx.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\npjpi160_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/games/popcaploader_v6.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by108fd.bay108.hotmail.msn.com/activex/HMAtchmt.ocx
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\phillip\applic~1\mozilla\firefox\profiles\m8xty1l0.default\
FF - prefs.js: browser.search.selectedEngine - Merriam-Webster Dictionary
FF - prefs.js: browser.startup.homepage - hxxp://jcr.stcatz.ox.ac.uk/
FF - component: c:\documents and settings\phillip\application data\mozilla\firefox\profiles\m8xty1l0.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\program files\cambridgesoft\chemoffice2008\chem3d\npChem3DPlugin.dll
FF - plugin: c:\program files\cambridgesoft\chemoffice2008\chemdraw\NPCDP32.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-9 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-11-24 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-9 298776]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-19 1174152]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-07-18 11:27 <DIR> --dsh--- c:\documents and settings\phillip\IECompatCache
2009-07-17 18:03 <DIR> --d----- c:\program files\ESET
2009-07-17 15:58 67,072 a------- c:\windows\system32\drivers\stpqstvyfpfvbyxw.sys
2009-07-17 15:57 142,852 a------- c:\windows\system32\msxml71.dll
2009-07-17 15:48 1,063,446 a------- c:\windows\system32\rn.tmp
2009-07-09 02:24 <DIR> --dsh--- c:\documents and settings\phillip\PrivacIE
2009-07-07 12:21 <DIR> --dsh--- c:\documents and settings\phillip\IETldCache
2009-07-07 01:58 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-07-07 01:58 <DIR> --d----- c:\windows\ie8updates
2009-07-07 01:57 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-07 01:57 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-07 01:55 <DIR> -cd-h--- c:\windows\ie8
2009-07-01 01:41 <DIR> --d----- c:\program files\Ventrilo
2009-07-01 01:41 262 a------- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

==================== Find3M ====================

2009-07-18 09:16 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-05 14:16 58,088 a---h--- c:\windows\system32\mlfcache.dat
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 15:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 15:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 20:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-17 08:52 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 06:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 06:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 22:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 22:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 22:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 22:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 22:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 12:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-29 05:55 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2008-08-08 12:59 232 a------- c:\documents and settings\phillip\options.dat
2005-09-24 23:18 32 a----r-- c:\documents and settings\all users\hash.dat
2008-08-30 04:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 20:52:56.43 ===============


#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:44 PM

Posted 28 July 2009 - 09:04 PM

Hello p_mcc, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please perform the following:


Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.



Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 p_mcc

p_mcc
  • Topic Starter

  • Members
  • 15 posts
  • Local time:01:44 AM

Posted 29 July 2009 - 03:27 AM

Gah, went to bed 10 minutes too early.

Here's my GMER text log; I'll attach it as well if it decides to format horribly:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-29 09:25:36
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 86DE2DF8 ZwEnumerateKey
Code 86DDEEA8 ZwFlushInstructionCache
Code 86DE7BF6 IofCallDriver
Code 86DE8AF6 IofCompleteRequest
Code 86DDEC4D ZwSaveKey
Code 86DDDE55 ZwSaveKeyEx

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----


#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:44 PM

Posted 29 July 2009 - 07:34 AM

Need to run another rootkit scan:

No need to post these as an attachment. Just make your reply in the window.

  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click the RootRepeal icon on your desktop.
  • Click on the report tab, then click scan
  • Check all six boxes:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.


#7 p_mcc

p_mcc
  • Topic Starter

  • Members
  • 15 posts
  • Local time:01:44 AM

Posted 29 July 2009 - 09:23 AM

Scanning now, although I got 5 'could not scan boot sector' errors before it finally loaded.
For your response libraries, the newest version of RootRepeal offers a seventh checkbox - "Shadow SSDT" - I left it unchecked.

As well, while it's running, a few questions:
-When I picked up the trojans and god knows whatever else, I quickly disconnected my external hard drive. I have a USB pen drive, and I've gathered up all essential files into one important folder, which I intend to try and back up if possible. Does my external hard drive pose any sort of security risk, and what about connecting the pen drive? If you don't know yet for sure, it's not a problem. The pen drive has had no contact with the computer, and the external hard drive has been sat here disconnected since.
-Is this likely to be fixed within the next 9 or 10 hours? I am checking this every half an hour (except just now when I was in town) to try and minimise response times on my part. If it can't be, is it possible to place this on hold for a couple of weeks?

Okay, scan over, here's the report.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/29 14:56
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE598000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D82000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED422000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\SYSTEM32\UACabedxijoln.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\UAChpyvbftkbe.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\UACjpwkpalbbmyfyqvpa.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\UAClwggdbfqpapbisikg.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\UACrfketicgkbtjpkkaw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\UACrmtcvnqkvxyxfqqjn.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\UACsqqqpfqmlxsqlakho.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\UACxvnsjxxtepytnmbbk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\UACyelyxurrjkdfrxdke.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC5a02.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC6429.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC6bbb.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACd920.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\SYSTEM32\DRIVERS\UACcdewucblxovvyvxpm.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\phillip\local settings\temp\~df1346.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\phillip\local settings\temp\~df135e.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\phillip\local settings\temp\~dfaec0.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\phillip\local settings\temp\~dfaf6d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Phillip\Local Settings\Temp\UACa955.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\31\31-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v31-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v31-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\11\11-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v11-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\12\12-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v12-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\13\13-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v13-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\14\14-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v14-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v14-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\15\15-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v15-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\16\16-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v16-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\17\17-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v17-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\18\18-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v18-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v18-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\19\19-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v19-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v19-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\20\20-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v20-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v20-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\21\21-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v21-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v21-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\22\22-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v22-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v22-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\23\23-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v23-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v23-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\24\24-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v24-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v24-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\25\25-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v25-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v25-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\26\26-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v26-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v26-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\27\27-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v27-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v27-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\28\28-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v28-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v28-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\29\29-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v29-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v29-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\30\30-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v30-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v30-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\32\32-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v32-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v32-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\33\33-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v33-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v33-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\34\34-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v34-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v34-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\35\35-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v35-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v35-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\36\36-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v36-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v36-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\37\37-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v37-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v37-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\38\38-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v38-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v38-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\39\39-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v39-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v39-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\40\40-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v40-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v40-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\41\41-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v41-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v41-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\42\42-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v42-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v42-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\43\43-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v43-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v43-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\44\44-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v44-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v44-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\45\45-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v45-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v45-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\46\46-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v46-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v46-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\47\47-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v47-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v47-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\48\48-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v48-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v48-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\49\49-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v49-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v49-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\50\50-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v50-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v50-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\51\51-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v51-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v51-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\52\52-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v52-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v52-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\53\53-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v53-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v53-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\54\54-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v54-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v54-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\55\55-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v55-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v55-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\phillip.mccullough@hotmail.com\SharingMetadata\soph_281@hotmail.com\DFSR\Staging\CS{E0F78801-A3DF-7F02-9FDA-AAEB4FF6FBBC}\56\56-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v56-{D0897474-1CE4-46CA-8059-B6618BA8E18F}-v56-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\pipmuk@hotmail.com\SharingMetadata\arnon12@hotmail.com\DFSR\Staging\CS{618B5889-7A22-2F9E-FF45-66BC1C9607CF}\11\11-{B84C7A9A-A645-4060-8233-02E6B60253AC}-v11-{B84C7A9A-A645-4060-8233-02E6B60253AC}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\pipmuk@hotmail.com\SharingMetadata\arnon12@hotmail.com\DFSR\Staging\CS{618B5889-7A22-2F9E-FF45-66BC1C9607CF}\12\12-{B84C7A9A-A645-4060-8233-02E6B60253AC}-v12-{B84C7A9A-A645-4060-8233-02E6B60253AC}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\pipmuk@hotmail.com\SharingMetadata\arnon12@hotmail.com\DFSR\Staging\CS{618B5889-7A22-2F9E-FF45-66BC1C9607CF}\13\13-{B84C7A9A-A645-4060-8233-02E6B60253AC}-v13-{B84C7A9A-A645-4060-8233-02E6B60253AC}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\pipmuk@hotmail.com\SharingMetadata\arnon12@hotmail.com\DFSR\Staging\CS{618B5889-7A22-2F9E-FF45-66BC1C9607CF}\14\14-{B84C7A9A-A645-4060-8233-02E6B60253AC}-v14-{B84C7A9A-A645-4060-8233-02E6B60253AC}-v14-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Phillip\Local Settings\Application Data\Microsoft\Messenger\pipmuk@hotmail.com\SharingMetadata\arnon12@hotmail.com\DFSR\Staging\CS{618B5889-7A22-2F9E-FF45-66BC1C9607CF}\15\15-{B84C7A9A-A645-4060-8233-02E6B60253AC}-v15-{B84C7A9A-A645-4060-8233-02E6B60253AC}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: UACabedxijoln.dll]
Process: winlogon.exe (PID: 1220) Address: 0x00740000 Size: 49152

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: winlogon.exe (PID: 1220) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: services.exe (PID: 1268) Address: 0x00760000 Size: 49152

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: services.exe (PID: 1268) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: lsass.exe (PID: 1280) Address: 0x007e0000 Size: 49152

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: lsass.exe (PID: 1280) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACjpwkpalbbmyfyqvpa.dll]
Process: svchost.exe (PID: 1448) Address: 0x02ac0000 Size: 217088

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: svchost.exe (PID: 1448) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: svchost.exe (PID: 1448) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UACyelyxurrjkdfrxdke.dll]
Process: svchost.exe (PID: 1448) Address: 0x00ad0000 Size: 73728

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: svchost.exe (PID: 1448) Address: 0x00d70000 Size: 45056

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: svchost.exe (PID: 1448) Address: 0x02e60000 Size: 49152

Object: Hidden Module [Name: UAC5a02.tmppalbbmyfyqvpa.dll]
Process: svchost.exe (PID: 1448) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: svchost.exe (PID: 1576) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: svchost.exe (PID: 1576) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UAC5a02.tmppalbbmyfyqvpa.dll]
Process: svchost.exe (PID: 1576) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: svchost.exe (PID: 1616) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: svchost.exe (PID: 1616) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UAC5a02.tmppalbbmyfyqvpa.dll]
Process: svchost.exe (PID: 1616) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: svchost.exe (PID: 1660) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: svchost.exe (PID: 1660) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UAC5a02.tmppalbbmyfyqvpa.dll]
Process: svchost.exe (PID: 1660) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: svchost.exe (PID: 1848) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: svchost.exe (PID: 1848) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UAC5a02.tmppalbbmyfyqvpa.dll]
Process: svchost.exe (PID: 1848) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: svchost.exe (PID: 1964) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: svchost.exe (PID: 1964) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UAC5a02.tmppalbbmyfyqvpa.dll]
Process: svchost.exe (PID: 1964) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: spoolsv.exe (PID: 552) Address: 0x00a40000 Size: 49152

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: spoolsv.exe (PID: 552) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: svchost.exe (PID: 648) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: svchost.exe (PID: 648) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UAC5a02.tmppalbbmyfyqvpa.dll]
Process: svchost.exe (PID: 648) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: AppleMobileDeviceService.exe (PID: 732) Address: 0x007d0000 Size: 49152

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: AppleMobileDeviceService.exe (PID: 732) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: avgwdsvc.exe (PID: 772) Address: 0x00800000 Size: 49152

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: avgwdsvc.exe (PID: 772) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: mDNSResponder.exe (PID: 824) Address: 0x00810000 Size: 49152

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: mDNSResponder.exe (PID: 824) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: cvpnd.exe (PID: 876) Address: 0x00d00000 Size: 45056

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: cvpnd.exe (PID: 876) Address: 0x00e70000 Size: 49152

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: svchost.exe (PID: 1012) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: svchost.exe (PID: 1012) Address: 0x007c0000 Size: 49152

Object: Hidden Module [Name: UAC5a02.tmppalbbmyfyqvpa.dll]
Process: svchost.exe (PID: 1012) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: Explorer.EXE (PID: 1944) Address: 0x00ce0000 Size: 49152

Object: Hidden Module [Name: UAChpyvbftkbe.dll]
Process: Explorer.EXE (PID: 1944) Address: 0x10000000 Size: 45056

Object: Hidden Module [Name: UACabedxijoln.dll]
Process: symlcsvc.exe (PID: 260) Address: 0x00b50000 Size:

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACcdewucblxovvyvxpm.sys

==EOF==

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:44 PM

Posted 29 July 2009 - 11:30 AM

I'll try to answer your other questions a little later, but I wouldn't count on this being corrected right away. I don't have enough info, and even if I did, every machine is different. It could take a day or two and it may take longer. I can't make any type of prognostication on that.

I'll be back this afternoon sometime.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:44 PM

Posted 29 July 2009 - 04:28 PM

If I understand correctly and you want to know if you can back up your files now, the answer is it will be alright except for the ones with the following extensions:

Note that the files with the following extensions should not be backed up: .exe/.scr/.htm/.html/.xml/.zip/.rar/.asp/.php



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#10 p_mcc

p_mcc
  • Topic Starter

  • Members
  • 15 posts
  • Local time:01:44 AM

Posted 29 July 2009 - 05:47 PM

Is it somehow possible to keep this topic on hold for the next couple of weeks? I am sorry for inconveniencing you like this, but I have a plane to catch in all of 7 hours :-/
For now the infected computer will be shut off at the mains, and as soon as I get back within about 2 weeks, I will run combofix. If necessary, I can bump this thread every few days to avoid any automatic pruning procedures you may have in place.

Sorry about this; I appreciate the help very much!

#11 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:44 PM

Posted 29 July 2009 - 06:23 PM

Sure, I'll keep it open and when you get back let me know.

Have a safe trip. :thumbup2:

#12 p_mcc

p_mcc
  • Topic Starter

  • Members
  • 15 posts
  • Local time:01:44 AM

Posted 16 August 2009 - 10:56 AM

I am back; thank you for keeping this topic open, it is much appreciated.

I have backed up my files successfully and downloaded combofix.

However, I have double clicked and it appears that it is being throttled by the malware like spybot. ComboFix.exe exists in task manager but not on the desktop. I am guessing that you're going to get me to download it as Combo-Fix.exe or something and evade it that way - but as usual, I'll await further instruction so I don't make your job harder.

#13 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:44 PM

Posted 16 August 2009 - 11:36 AM

You're welcome!

Yes, let's delete the version you have now and download a new version. Try renaming it to something like phillip.exe but it really needs to be on your Desktop.

#14 p_mcc

p_mcc
  • Topic Starter

  • Members
  • 15 posts
  • Local time:01:44 AM

Posted 16 August 2009 - 11:55 AM

Sorry, should have been clearer in my last reply; I did download to desktop, I meant that ComboFix was not visible on my computer screen.

I have downloaded under an alternative name, and it has loaded. It has now thrown a wobbly by saying that it's detected the 'ESET NOD32 antivirus system 2.70' real time scanner as active, and that I must disable it before clicking OK. I don't have ESET NOD32 anti-virus on my computer (I think I had the trial version and then replaced it with AVG, which IS disabled); I did do the NOD32 online scan, but am unsure how to remove traces of this before continuing.

#15 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:08:44 PM

Posted 16 August 2009 - 12:17 PM

Run this for me real quick. Shouldn't take long. Post both logs in the window provided not as attachments:
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)




